Metadata raises legal risks

In 2000, global health care company Merck deleted information concerning the heart attack risk associated with the arthritis drug Vioxx from an article it was about to submit to a medical journal. The changes in the electronic document, hidden from view, were revealed five years later, after the journal’s editor learned during a deposition in a Vioxx product liability lawsuit that an earlier version of the article had more information on heart attack risk. The editor retrieved the original file, uncovered the deleted information and made a public announcement of the discovery.

Such hidden information in e-documents is called metadata, which is defined as “data about data,” and may reveal the identity of the author, when the document was written and changed, as well as a short summary, according to Scott Smull, CEO of software vendor Workshare.

“In Microsoft Word, Excel and PowerPoint, the ability to add comments and track changes can be very helpful to users collaborating on a document,” says Smull. “However, changes that are not accepted still remain with the document, even though they appear to be invisible. These changes can easily be displayed by turning on the ‘Show Markup’ view. This can result in embarrassing situations where external parties see information that was not intended for their eyes.”

The Vioxx story is one of several examples of companies facing legal and public relations setbacks from the release of metadata. But the ethical responsibility of lawyers who inadvertently release metadata or receive information intended to be confidential remains unsettled.

Sender’s Responsibility

The dozen state bars that have issued ethics opinions have focused on three issues: the sender’s responsibility when transmitting electronic data including metadata; the recipient’s duty to notify the sender when metadata is inadvertently received; and the recipient’s right to examine such files. These issues generally arise when data is transmitted in transactional matters.

The inadvertent disclosure of information [by attorneys] has been a problem that has existed for decades,” says Andrew Perlman, Suffolk University Law School professor and chief reporter for the American Bar Association’s (ABA) Commission on Ethics 20/20. In general, state bar opinions addressing metadata conform to their state’s previous opinions concerning attorneys’ inadvertent disclosure of information by traditional methods such as postal mail and fax.

“In my personal opinion,” says Perlman, “that is the right way to think about it. Inadvertently disclosed metadata should be viewed in the same way as other inadvertently disclosed information.”

All jurisdictions that have published metadata ethics opinions agree that an attorney sending an electronic document has a duty to exercise reasonable care to avoid unintentionally disclosing confidential information. But what is “reasonable” depends on the circumstances.

Alice Mine, assistant executive director and ethics counsel of the North Carolina State Bar, refers to an ethics opinion issued by her state’s bar in January 2010. The opinion asserts that what is reasonable depends on such variables as the sensitivity of the confidential information, the potential adverse consequences from the inadvertent disclosure, any special instructions or expectations of a client and the steps that the lawyer takes to prevent the disclosure of metadata. The State Bar of Arizona’s Ethics Committee includes some of the same criteria, and adds that what is “reasonable” may also depend on “whether further disclosure is restricted by statute, protective order, or confidentiality agreement.”

Duty to Notify

A lawyer receiving metadata faces his own ethical questions.

A 2006 ABA ethics opinion “does not squarely address whether a lawyer has a duty to notify the sender of a document when the document was intentionally sent but happened to contain privileged metadata,” Perlman says. The ABA proposes to address that issue by amending Rule 4.4 of the ABA Model Rules of Professional Conduct, which says that a lawyer who receives a “document” that he knows or should know was inadvertently sent should notify the sender. The amendment would replace the word “document” with “information or material” to include metadata.

The proposed amendment is currently open to the public and the Bar for comments, and the resolution, in its original form or amended, will be presented for a vote by the ABA House of Delegates in August 2012.

Most state bar opinions agree with the proposed ABA model rule on recipient responsibility, but some differ. Maryland does not require the recipient to notify the sender, but states that “the receiving attorney can, and probably should, communicate with his or her client concerning the pros and cons of whether to notify the sending attorney.” Alabama and Maine do not directly address this issue in their opinions.

Metadata Mining

State bar ethics opinions vary most widely on whether the recipient of inadvertently disclosed metadata has a right to examine or “mine” the information. The state bar associations of Colorado, Maryland and Pennsylvania agree with the position expressed in the 2006 ABA opinion, which concludes that the Model Rules of Professional Conduct permit a lawyer to review and use metadata contained in electronic documents.

The state bars of Alabama, Arizona, Florida, Maine, North Carolina and New York agree that a lawyer may not ethically search for confidential information inadvertently embedded within an electronic communication from another party. “To do so would undermine the protection afforded to confidential information … and would interfere with the client-lawyer relationship of another lawyer,” states the North Carolina opinion.

Colorado; Washington, D.C.; and West Virginia permit metadata mining unless the recipient knows that the metadata was inadvertently sent.

Both Minnesota and Pennsylvania avoid a bright-line rule on metadata mining and state that the determination is fact-specific.